Firewall Recipe for DDOS Attack Prevention and Mitigation


Although you cannot “technically” stop a DDOS attack, there are ways to detect and automatically mitigate its debilitating effects on your public-facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full-service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDOS attack is the result of the overhead incurred on your servers from a large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response times caused by that overhead on your servers.

For a detailed discussion of how a DDOS attack is initiated please visit http://computer.howstuffworks.com/zombie-computer3.htm


Our recipe below assumes that you have some sort of firewall device at your edge that can count hits into your network from an outside IP, and that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line.

Step 1 Calculate your baseline incoming activity. This should be a running average of unique hits per minute, or perhaps per second. The important thing is that you have an idea of what is normal. Remember, we are only concerned with un-initiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2 Once you have your baseline hit rate of incoming queries, set a flag to take action (Step 3 below) should this hit rate exceed your baseline by more than 1.5 standard deviations. In other words, act if your hit rate jumps by a statistically large amount compared to your baseline for no apparent reason, i.e. you did not mail out a newsletter.

Step 3 You are at Step 3 because you have noticed a much larger than average hit rate of un-initiated requests into your web site. Now you need to look at the hit count by external IP. We assume that the average human will generate at most a hit every 10 seconds or so, maybe higher, and also that on average they will likely not generate more than 5 or 6 hits over a period of a few minutes. Whereas a hijacked client attacking your site as part of a DDOS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4 Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also, if they are coming from behind a NAT’d community (like a University), you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDOS attack.
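
The four steps above, worked through as an added example (this is not NetGladiator or any firewall vendor’s code). It assumes the edge device can hand over, once per minute, one entry per un-initiated hit (the external source IP of an inbound connection that no internal host solicited); the window lengths marked as assumptions are this example’s own choices, while the 1.5 standard deviations, the “5 or 6 hits” and the 24-hour block come from the recipe.

```python
"""Watchdog for the four-step DDOS recipe (added example, not product code)."""
from collections import Counter, deque
from statistics import mean, pstdev

BASELINE_MINUTES = 60       # step 1: running-average window length (assumption)
MIN_BASELINE = 10           # minutes of history before step 2 is trusted (assumption)
SIGMA_THRESHOLD = 1.5       # step 2: 1.5 standard deviations above the baseline
WINDOW_MINUTES = 3          # step 3: "over a period of a few minutes" (assumption)
PER_IP_LIMIT = 6            # step 3: more than 5 or 6 hits from one IP is not human-like
BLOCK_SECONDS = 24 * 3600   # step 4: block for 24 hours, then let the block lapse


class DdosWatchdog:
    def __init__(self):
        self.unique_per_minute = deque(maxlen=BASELINE_MINUTES)  # step 1 history
        self.recent = deque(maxlen=WINDOW_MINUTES)  # per-minute Counters for step 3
        self.blocked = {}  # external IP -> Unix time at which its block expires

    def expire_blocks(self, now):
        """Step 4: blocks are temporary, so drop any that have reached 24 hours."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]

    def is_anomalous(self, unique_hits):
        """Step 2: flag a minute whose unique-hit count exceeds the running
        baseline by more than 1.5 standard deviations."""
        if len(self.unique_per_minute) < MIN_BASELINE:
            return False
        mu = mean(self.unique_per_minute)
        # Floor the deviation at 1 so a perfectly flat baseline does not trip on +1 hit.
        sd = max(pstdev(self.unique_per_minute), 1.0)
        return unique_hits > mu + SIGMA_THRESHOLD * sd

    def process_minute(self, now, hits):
        """Feed one minute of un-initiated hits (a list of external IPs, one
        entry per hit). Returns the IPs newly blocked during this minute."""
        self.expire_blocks(now)
        this_minute = Counter(ip for ip in hits if ip not in self.blocked)
        self.recent.append(this_minute)
        if not self.is_anomalous(len(this_minute)):
            # Only quiet minutes feed the baseline, so an attack cannot raise it.
            self.unique_per_minute.append(len(this_minute))
            return []
        # Step 3: under an anomaly, count hits per external IP over the last few minutes.
        per_ip = Counter()
        for minute in self.recent:
            per_ip.update(minute)
        newly_blocked = []
        for ip, count in per_ip.items():
            if count > PER_IP_LIMIT and ip not in self.blocked:
                self.blocked[ip] = now + BLOCK_SECONDS
                newly_blocked.append(ip)
        return sorted(newly_blocked)


def constructed_demo():
    """Constructed traffic: 30 quiet minutes of 48-52 visitors, then a burst in
    which 40 hijacked clients each hit the site 10 times a minute."""
    wd = DdosWatchdog()
    normal = ["203.0.113.%d" % i for i in range(1, 53)]   # ordinary visitors (constructed)
    bots = ["198.51.100.%d" % i for i in range(1, 41)]    # hijacked clients (constructed)
    t0 = 1_420_000_000                                     # arbitrary Unix time
    for m in range(30):
        wd.process_minute(t0 + 60 * m, normal[: 48 + 2 * (m % 3)])
    attack = t0 + 60 * 30
    first = wd.process_minute(attack, normal[:50] + bots * 10)
    second = wd.process_minute(attack + 60, normal[:50] + bots * 10)
    blocked_during = len(wd.blocked)
    wd.expire_blocks(attack + BLOCK_SECONDS)
    return {
        "first_minute": first,       # the 40 bots, blocked on the first bad minute
        "second_minute": second,     # nothing new: hits from blocked IPs are ignored
        "blocked_during": blocked_during,
        "after_24h": len(wd.blocked),
    }
```

Because an anomalous minute is kept out of the baseline, a sustained attack does not slowly teach the watchdog that the flood is normal.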


For further consulting on DDOS or other security related issues feel free to contact us at admin@apconnections.net

NetEqualizer News: January 2015


January 2015

Greetings!

Enjoy another issue of NetEqualizer News! This month, we highlight leasing a NetEqualizer with NO contract, discuss our new IPv6 shaping process, share a recent case study, and preview our 2015 price adjustments. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

As we kick off 2015, I am knee-deep once again in architecting solutions, which many of you know is what I love to do most! It feels good to start 2015 following my passion – I hope you are committing or re-committing to spend time doing those things that you love most.

Speaking of architecture, this month I share with you the upcoming IPv6 Release (8.1v6) design. I also am excited to include our latest Case Study; we have captured Lutheran Health Network’s experience with the NetEqualizer. This large-scale NetEqualizer implementation is a great read, particularly for customers with multiple sites using varying bandwidths. And finally, we give you a preview of 2015 pricing. Some good news here – we have reduced prices on two license levels!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

The Joy of Leasing

In 2015, we are continuing our popular no-contract, monthly Leasing Program.

This program works best for several types of customers:

1) Customers who need to align monthly expenditures with a monthly revenue stream.

2) Customers with limited budgets that need to reduce their upfront costs.

3) Customers who would like user-based pricing.

Why is leasing a NetEqualizer joyful? We think that our leasing program is superior to what you would find through a typical 3rd party lessor. We keep the process simple, and make it easy for you to participate. In fact, we started this program because we were tired of the long drawn-out process full of tons of paperwork, signatures, and waiting, while trying to work with lessors on behalf of our customers. We decided that we could do this better, and we think we have!

We have found this model popular, as customers can immediately get the benefits of a full-featured NetEqualizer without committing to a large upfront expenditure. And, there is no long-term commitment; if your needs change in the future, you can exit or modify your Lease Program as needed.

This model works well for businesses that would like to align their shaping costs with the number of users they have on their network, rather than the size of their network pipe. In smaller businesses, this enables customers to better align their costs with their actual potential revenue stream rather than their network size.

In the past several years, we have seen Schools, Business Centers and Internet Service Providers participate in our Monthly Leasing Program.

If this sounds of interest to you, call us to discuss or check out our Leasing Program to see if it meets your needs!

sales@apconnections.net
-or-
303-997-1300

Please note that the NetEqualizer Leasing Program is currently only available to customers in the United States and Canada.


Architecting the IPv6 Release (8.1v6)

We have word from a few customers running dual stacks that they do have enough IPv6 traffic that it needs to be addressed in the NetEqualizer shaper, especially during peak traffic times.

Now that IPv6 is becoming a reality in many networks, I am focusing my efforts on architecting our solution, which I share here:

We realized early on in our design choices that a customer running a dual stack may have two addressing schemes, but they still have one bandwidth link to shape as a whole. In other words, all the shaping decisions will be based on the total bandwidth across both sets of addresses, and not a separate decision for IPv6 and IPv4.

With that decision, the easiest way to accomplish this for reporting and shaping was to trick the IPv6 traffic into an IPv4 format, which is what we are going to do.

We examined real IPv6 traffic on a live network, and as expected the upper bytes in the address rarely, if ever, change. So by taking the lower 24 bits of the IPv6 address and mapping that into a locally unique IPv4 address, we can show and shape all the traffic in one table.

We will have Beta versions of 8.1v6 ready to run in late February. At that time we will also have examples and documentation on how to track and shape your IPv6 traffic on the NetEqualizer.

Stay tuned here to learn more about our IPv6 Release this Spring! And if you have any thoughts or input on IPv6 that you would like to share, shoot me an email at art@apconnections.net.


Case Study: Lutheran Health Network

Recently we received feedback from Lutheran Health Network (LHN) on how their NetEqualizers have helped to optimize their network infrastructure. It was so much great information that we captured it as a Case Study to share with you.

Jason Whiteaker, a Senior Network Engineer at LHN, describes their environment, what challenges they faced, solutions considered, and the great results they have had with the NetEqualizer in place. Read the full Case Study here to see how the NetEqualizer has been a technical and political “win-win” for the network team.

This Case Study demonstrates how the NetEqualizer works well in hub and spoke environments. To read more about how effective the NetEqualizer is at hub and spoke shaping, check out our blog article on the subject.


2015 NetEqualizer Pricing Preview

As promised in last month’s newsletter, all newsletter readers can now get an advance peek of our 2015 NetEqualizer Pricing! For a limited time, you can preview our 2015 Pricing here without registration. You can also view the Data Sheets for each model once in the 2015 Price List.

Our 2015 Pricing will be effective February 1st, 2015.

Key changes for 2015:

– Due to popular demand, we are adding two license levels to the NE3000 series: 500Mbps and 750 Mbps.
– Exciting news for folks looking at 100 or 150Mbps licenses. We have reduced prices on the 100Mbps and 150Mbps license levels, to better align our pricing model.
– And finally, as we are seeing more customers moving to higher bandwidth levels, we have decided to no longer offer the 10Mbps license in 2015.

If you are interested in user-based pricing, we are continuing to offer our Monthly Lease Program in 2015. You can read more about that in The Joy of Leasing in this month’s newsletter.

We will be using 2014 pricing through January, and all current quotes using the pricing will be honored for 90 days from the date the quote was originally given. However, if you have an outstanding quote on a 100 or 150Mbps unit, we will be happy to update it for you to use the new lower pricing.

We also continue to offer license upgrades on our newer NE2000’s. Remember that if you have a NE2000 purchased on or after August 2011, it is eligible for license upgrades and support. If you have an older NE2000, please contact us to discuss a trade-in.

If you have questions on pricing, feel free to contact us at:

sales@apconnections.net
-or-
303-997-1300


Best Of The Blog

How Does Your ISP Actually Enforce Your Internet Speed?

By Art Reisman – CTO – APconnections

Have you ever wondered how your ISP manages to control the speed of your connection? If so, you might find the following article enlightening. Below, we’ll discuss the various trade-offs used to control and break out bandwidth rate limits and the associated side effects of using those techniques…

Photo Of The Month
Roseate Spoonbill from Merritt Island National Seashore
The best thing NASA did besides going to the moon was preserving miles and miles of shoreline on the east coast of Florida near Cape Canaveral. The Merritt Island bird loop is better than the wild animal safari you can take over at Disneyland, alligators and exotic birds like you have never seen before.

Changing times, Five Points to Consider When Trying to Shape Internet Traffic


By Art Reisman, CTO, APconnections www.netequalizer.com

1 ) Traditional Layer 7 traffic shaper methods are NOT able to identify encrypted traffic. In fact, short of an NSA back door, built into some encryption schemes, traditional Layer 7 traffic shapers are slowly becoming obsolete as the percentage of encrypted traffic expands.
2 ) As of 2014, it was estimated that up to 6 percent of the traffic on the Internet is encrypted, and this is expected to double in the next year or so.
3) It is possible to identify the source and destination of traffic even on encrypted streams. The sending and receiving IPs of encrypted traffic are never encrypted, hence large content providers such as Facebook, YouTube, and Netflix may be identified by their IP address, but there are some major caveats.

– it is common for the actual content from major content providers to be served from regional servers under different domain names (they are often registered to third parties). Simply trying to identify traffic content from its originating domain is too simplistic.

– I have been able to trace proxied traffic back to its originating domain with accuracy by first doing some experiments. I start by initiating a download from a known source, such as YouTube or Netflix, and then I can figure out the actual IP address of the proxy that the download is coming from. From this, I then know that this particular IP is most likely the source of any subsequent YouTube traffic. The shortfall with relying on this technique is that IP addresses change regionally, and there are many of them. You cannot assume what was true today will be true tomorrow with respect to any proxy domain serving up content. Think of the domains used for content like a leased food cart that changes menus each week.

4) Some traffic can be identified by behavior, even when it is encrypted. For example, the footprint of a single computer with a large connection count can usually be narrowed down to one of two things: it is usually either BitTorrent, or some kind of virus on a local computer. BitTorrent clients tend to open many small connections and hold them open for long periods of time. But again there are caveats. Legit BitTorrent providers such as Universities distributing public material will use just a few connections to accomplish the data transfer, whereas consumer-grade BitTorrent clients, often used for illegal file sharing, may use 100’s of connections to move a file.

5)  I have been alerted to solutions that require organizations to retrofit all endpoints with pre-encryption utilities, thus allowing the traffic shaper to receive data before it is encrypted.  I am not privy to the mechanics on how this is implemented, but I would assume outside of very tightly controlled networks, such a method would be a big imposition on users.
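
Point 4 above, turned into a detection heuristic as an added example (not NetEqualizer code): it summarises a connection table per local host and flags the footprint the post describes, a large number of small connections to many distinct peers, most of them held open. The 100-connection figure is the post’s; the 120-second “held open” cutoff, the one-half long-lived fraction and the sample connection rows are this example’s own assumptions.

```python
"""Connection-footprint heuristic for encrypted BitTorrent-like traffic (added example)."""
from collections import defaultdict
from statistics import median

MANY_CONNECTIONS = 100      # page: consumer BitTorrent "may use 100's of connections"
HELD_OPEN_SECONDS = 120     # assumption: a connection older than this counts as held open
LONG_LIVED_FRACTION = 0.5   # assumption: at least half of the connections must be held open


def footprint(conn_table):
    """Per local host summary. Rows are (local_ip, remote_ip, age_seconds, bytes)."""
    per_host = defaultdict(list)
    for local_ip, remote_ip, age_s, nbytes in conn_table:
        per_host[local_ip].append((remote_ip, age_s, nbytes))
    summary = {}
    for host, conns in per_host.items():
        summary[host] = {
            "connections": len(conns),
            "distinct_peers": len({c[0] for c in conns}),
            "long_lived": sum(1 for c in conns if c[1] >= HELD_OPEN_SECONDS),
            "median_bytes": median(c[2] for c in conns),
        }
    return summary


def flag_hosts(conn_table):
    """Return the hosts whose footprint matches the post's description: a large
    connection count, to many distinct peers, mostly held open. A university-style
    transfer over a handful of big connections does not match and is left alone."""
    flagged = {}
    for host, s in footprint(conn_table).items():
        if (s["connections"] >= MANY_CONNECTIONS
                and s["long_lived"] >= LONG_LIVED_FRACTION * s["connections"]
                and s["distinct_peers"] >= MANY_CONNECTIONS // 2):
            flagged[host] = s
    return flagged


def constructed_table():
    """Constructed rows for three local hosts: a web browser, a mirror moving
    public material over a few big connections, and a consumer-style swarm."""
    rows = []
    # Browser: 12 short connections to a couple of CDN peers.
    for i in range(12):
        rows.append(("192.0.2.10", "203.0.113.%d" % (i % 3), 15, 48_000))
    # Mirror: 4 long-lived, high-volume connections (the legit few-connection case).
    for i in range(4):
        rows.append(("192.0.2.20", "198.51.100.%d" % i, 900, 80_000_000))
    # Swarm: 250 small connections to 250 different peers, four in five held open.
    for i in range(250):
        age = 300 if i % 5 else 30
        rows.append(("192.0.2.30", "100.64.%d.%d" % (i // 256, i % 256), age, 20_000))
    return rows
```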

Net Neutrality must be preserved


As much as I hate to admit it, it seems a few of our Republican congressional leaders are “all in” on allowing large content providers privileged priority access on the Internet. Their goal for the 2015 congress is to thwart the President and his Mandate to the FCC on net neutrality.

Can you imagine going to visit Yosemite National park and being told that the corporations that sponsor the park have taken all the campsites? Or a special lane on the Interstate dedicated exclusively for Walmart Trucks? Like our highway system, and National parks, the Internet is a resource shared by all Americans.

I think one of the criteria for being a politician is a certification that you flunked any class in college that involved critical or objective thinking, for example, this statement from Rep Marsha Blackburn

“Federal control of the internet will restrict our online freedom and leave Americans facing the same horrors that they have experienced with HealthCare.gov,”

She might as well compare the Internet to the Macy’s parade, it would make about as much sense; the Internet is a common shared utility similar to electricity and roads, and besides that, it was the Government that invented and funded most of the original Internet. The healthcare system is complex and flawed because it is a socialistic re-distribution of wealth, not even remotely similar to the Internet. The internet needs very simple regulation to prevent abuse, this is about the only thing the government is designed to do effectively.

And then  there is this stifle innovation argument…

Rep. Bob Goodlatte, chair of the House Judiciary Committee, said he may seek legislation that would aim to undermine the “FCC’s net neutrality authority by shifting it to antitrust enforcers,” Politico wrote.

Calling any such net neutrality rules a drag on innovation and competition

Let me translate for him because he does not understand or want to understand the motivations of the lobbyist when they talk about stifling innovation.

My Words “Regulation, in the form of FCC imposed net neutrality, will stifle the ability of the larger access providers and content providers from creating a walled off garden, thus stifling their pending monopoly on the Internet.”

There are many things where I wish the Government would keep their hands out of , but the Internet is not one of them. I must side with the FCC and the President on this one.

NetEqualizer News: December 2014


December 2014

Greetings!

Enjoy another issue of NetEqualizer News! This month, we discuss our recent K-12 Schools award, introduce IPv6 shaping for NetEqualizer, and remind everyone of 2015 pricing changes. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

As we close out 2014, I smile as I think of what this year has taught me, both professionally and personally. Professionally, I now know that IPv6 really will be a reality in 2015, as you will read more about below. I have also learned that sometimes surprises are good – as we share with you that we received an unanticipated (but very welcome!) award from District Administration (a K-12 Schools publication) this month.

And personally, I learned that at my age I need to make sure to hydrate before a long run!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

We Are Honored! NetEqualizer is a K-12 School Top 100 Product in 2014

We have always known that the NetEqualizer is great (you have too!), but it is wonderful when it is validated by an independent publication. Recently we learned that we were honored in the December 2014 edition of District Administration, a publication geared to K-12 School leadership.

NetEqualizer made the 2014 list of Top 100 Products for K-12 Schools!

The December 2014 Cover Story is the annual Top 100 Products, viewable in the District Administration online edition. According to the article, there were 2,400 unique nominations for the Top 100 this year, up from 1,800 in 2013. Winners were selected by the editorial board based on quality and quantity of the testimonials submitted from readers.

So, a big THANK YOU to the readers that submitted us for inclusion in the Top 100! We would not have received this honor without you. We truly appreciate you taking the time to say nice things about us, especially as we rely heavily on word of mouth to get our story out to our customers. If you would like to see our listing, we are on the bottom of page 52.

As we have not advertised in this publication in the past, and did not solicit inclusion for this award in any way, this took us completely (and happily) by surprise.

As Lauren Williams of District Administration mentions in her introduction to the winners, “This annual award alerts superintendents and other senior school leaders to the best products their colleagues around the country are using to help their districts excel.”

If you have not seen the winners, take a look, you might find a product that is a good fit for your K-12 School.


2015 Pricing Coming Soon

As we close out 2014, just a reminder that we are still writing quotes using our 2014 pricing, and the quotes are good for 90 days. If you are thinking of trading-in your current NetEqualizer, upgrading your license level, or getting another NetEqualizer, now is a good time to get a quote from us.

We will be using 2014 pricing through January, and all current quotes using the pricing will be honored for 90 days from the date the quote was originally given.

Look for a preview of our 2015 Pricing in our January Newsletter. Our 2015 Pricing will be effective February 1st, 2015.


Ready or Not, Here Comes IPv6!

Just this past month, we have seen several customers begin to see 10% or more IPV6 traffic on their networks when they turned on their IPv4/IPv6 dual stack.

As you may know, today IPv6 traffic is viewable under the Management & Reporting menus. To see any IPv6 traffic that you have on your network, select View Current Activity -> View Active Connections -> Active IPv6 Connections.

However, as IPv6 has historically been a small percentage of overall network traffic, we have not focused our engineering resources to-date on adding IPv6 shaping.

That is about to change! To address the increase in IPv6 traffic, we plan on putting out a winter release with a dual stack of our own. Our goal is to have code ready for an initial beta test in early February.

Our engineering team has come up with a cool way to handle dual address schemes. The NetEqualizer dual stack will map IPv6 addresses into unused IPv4 addresses – so that you will be able to track, shape, and equalize IPv6 on a standard NetEqualizer.
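
The dual-stack trick described here and, in more detail, in the January 2015 newsletter above (fold the lower 24 bits of each IPv6 address into a locally unique IPv4 address so that one table reports and shapes both families), as an added example that is not NetEqualizer code. It assumes the unused IPv4 block set aside for mapped hosts is 10.0.0.0/8 (a /8 has exactly 24 host bits, one per possible suffix); the newsletters do not say which block the product uses, nor what it does when two IPv6 hosts share a suffix, so the collision check is this example’s own addition.

```python
"""IPv6-to-IPv4 suffix mapping for a single shaping table (added example)."""
import ipaddress

MAP_BLOCK = ipaddress.ip_network("10.0.0.0/8")   # assumption: unused by real IPv4 hosts
LOW_BITS = 24                                    # page: "the lower 24 bits of the IPv6 address"
SUFFIX_MASK = (1 << LOW_BITS) - 1


def map_v6_to_v4(addr):
    """Fold the low 24 bits of an IPv6 address into the mapping block."""
    suffix = int(ipaddress.IPv6Address(str(addr))) & SUFFIX_MASK
    return ipaddress.IPv4Address(int(MAP_BLOCK.network_address) | suffix)


class DualStackTable:
    """One byte-count table keyed by IPv4. IPv6 hosts enter through the mapping;
    the table remembers which IPv6 address first claimed each slot so a collision
    (two hosts sharing a 24-bit suffix) is reported instead of silently merged."""

    def __init__(self):
        self.bytes_by_key = {}
        self.owner = {}        # mapped IPv4 -> first IPv6 address to use that slot
        self.collisions = []   # (first owner, newcomer, mapped key)

    def account(self, addr, nbytes):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            if ip in MAP_BLOCK:
                # The block must really be unused, or a real host and a mapped
                # host would share one counter and one shaping decision.
                raise ValueError("real IPv4 host %s overlaps the mapping block" % ip)
            key = ip
        else:
            key = map_v6_to_v4(ip)
            first = self.owner.setdefault(key, ip)
            if first != ip:
                self.collisions.append((str(first), str(ip), str(key)))
        self.bytes_by_key[key] = self.bytes_by_key.get(key, 0) + nbytes
        return str(key)

    def total(self, key):
        return self.bytes_by_key.get(ipaddress.ip_address(key), 0)


def constructed_demo():
    """Constructed traffic: one IPv4 host and three IPv6 hosts, two of which
    differ only above bit 24 and therefore land in the same mapped slot."""
    table = DualStackTable()
    table.account("192.0.2.5", 1_000)
    table.account("2001:db8::1", 2_000)
    table.account("2001:db8:0:1::1", 3_000)        # same low 24 bits as the previous host
    table.account("2001:db8::abcd:1234", 4_000)
    return {
        "keys": sorted(str(k) for k in table.bytes_by_key),
        "merged_bytes": table.total("10.0.0.1"),    # 2000 + 3000 counted as one host
        "collisions": table.collisions,
    }
```

With real addresses the upper bits rarely change on one network, as the January newsletter notes, so collisions are rare; the check above is what tells you when that assumption stops holding.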

If you are interested in hearing more, please contact us:

sales@apconnections.net
-or-
303-997-1300


Best Of The Blog

Case Study: A Simple Solution to Relieve Congestion on Your MPLS Network

By Art Reisman – CTO – APconnections

We recently installed a NetEqualizer for a national healthcare company connecting hundreds of hospitals and clinics to a central location. We were able to solve all their congestion issues on their MPLS network, while saving them tens of thousands of dollars over other solutions. The centralized NetEqualizer solution is so elegant and simple that large IT departments, who are often wined and dined by vendors with expensive WAN optimization solutions, have hard time believing that we can solve their WAN issues at a fraction of the cost. In the coming weeks, we will release a detailed case study featuring this customer.

For now, here is the original blog article that explains our spoke and hub technology…

The problem:
A customer has a hub and spoke MPLS network where remote sites get their public Internet and corporate data by coming in on a spoke to a central site. Although the network at the host site has plenty of bandwidth, the spokes have a fixed allocation over the MPLS and are experiencing contention issues (e.g. slow response times to corporate sales data, etc.)…

Photo Of The Month
Landon Donovan
Landon Donovan is widely considered to be the best soccer player to ever come out of the United States. He has played for multiple national and international clubs. On August 7, 2014, Donovan announced that he would be retiring at the end of the 2014 Major League Soccer season; the season ended with the Galaxy winning their fourth MLS Cup of the Donovan era on Sunday December 7, 2014. This photo was taken by one of our staff members at a game last summer.

We are Honored! NetEqualizer is a K-12 School Top 100 Product in 2014


We have always known that the NetEqualizer is great (you have too!), but it is wonderful when it is validated by an independent publication.  Today we learned that we were honored in the December 2014 edition of District Administration (http://www.districtadministration.com/), a publication geared to K-12 School leadership.

NetEqualizer made the 2014 list of Top 100 Products for K-12 Schools!

The December 2014 Cover Story is the annual Top 100 Products, viewable here in the District Administration online edition. According to the article, there were 2,400 unique nominations for the Top 100 this year, up from 1,800 in 2013. Winners were selected by the editorial board based on quality and quantity of the testimonials submitted from readers.

So, a big THANK YOU to the readers that submitted us for inclusion in the Top 100!  We would not have received this honor without you.  We truly appreciate you taking the time to say nice things about us, especially as we rely heavily on word of mouth to get our story out to our customers.  If you would like to see our listing, we are on the bottom of page 52.

As we have not advertised in this publication in the past, and did not solicit inclusion for this award in any way, this took us completely by (happy) surprise.

As Lauren Williams of District Administration mentions in her introduction to the winners, “This annual award alerts superintendents and other senior school leaders to the best products their colleagues around the country are using to help their districts excel.”  So, if you have not seen the winners, take a look, you might find a product that is a good fit for your K-12 School.

NetEqualizer News: November 2014


November 2014

Greetings!

Enjoy another issue of NetEqualizer News! This month, we discuss features for our 2015 NetEqualizer Releases, announce a last call for trading in old NE2000’s and Lite units, introduce our NetEqualizer Holiday Giving Campaign, and share a technical tip on how to export data from NetEqualizer’s Dynamic Real-Time Reporting (RTR). As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

The holiday season is almost underway in the United States. Before I get caught up in the whirlwind of activities that seems to happen at this time of year, I’d like to pause and give thanks for all the blessings in my life. As we end our 11th year, I continue to be thankful for all of our loyal customers.

THANK YOU for putting your faith and trust in APconnections, we truly appreciate your business!

APconnections also likes to give back to those in need. You can read all about our NetEqualizer Holiday Giving Campaign below.

2015 NetEqualizer Release Plans

We have started planning out our 2015 releases. We are aiming for two releases in 2015:

8.2 – Extended RTR

Our first release (8.2) will be in the late spring/early summer timeframe. We continue our commitment to robust real-time reporting (RTR) by adding reports to extend our capabilities. 8.2 – Extended RTR is currently planned to include Penalty Graphs, Bandwidth Use by IP Graphs, a Pools Dashboard, Data Export Menus, and an enhanced Active Connections Table.

8.x – Cloud Reporting

As announced in our October Newsletter, we plan to offer data storage in a cloud environment. Cloud Reporting will give you access to longer periods of data, to help with your troubleshooting, capacity planning, and trend analysis needs. Look for more information in the coming months as we start to architect our solution.

We listen to you, and have taken into account feedback provided by those of you that have upgraded to 8.1 in our release planning. As always, if you have feature requests or suggestions, please contact us!

Once 8.2 reaches GA, these features will be free to customers with valid NetEqualizer Software and Support who are running version 8.1. If you are not current with NSS, or have not upgraded to 8.1, contact us today!

sales@apconnections.net

-or-

303-997-1300


Last Call! Trade in Your Older NE2000 or Lite Unit

As we have announced previously in this Newsletter, we are discontinuing support for older NE2000s (any NE2000 purchased prior to August 2011) and the Lite series as of 12/31/2014.

We are moving our NE2000 and Lite license levels onto the NE3000 platform, which can support running our 64-bit software, and is better positioned for the future (more memory, more processing power, etc.).

If you have not already traded in your older NE2000 or Lite unit, we recommend that you do so at this time. As part of our Lifetime Buyer’s Guarantee, we offer a generous trade-in credit of 50% of the original unit price toward a new unit. While you will still be able to trade-in older NE2000’s and Lite units in the future, this is our Last Call because time is running out on Support (NSS) for these units.

Not sure if your NE2000 is an older unit? Call or email us and we will look it up for you.

sales@apconnections.net

-or-

303-997-1300


NetEqualizer Holiday Giving Campaign

Join APconnections in giving back to worthy causes during this holiday season. For every new NetEqualizer that our customers purchase between now and 12/31/2014, APconnections will donate $25 to one of our selected charities.

It is that simple! Just buy the NetEqualizer that you were planning to get anyway in 2015, and you get to help us to do good for others, through the great work of these deserving charities!

To keep this simple, we have selected several charities, and will split the donation amongst them. Our charities for the NetEqualizer Holiday Giving Campaign are:

1) Toys for Tots: The mission for Toys for Tots is to collect new, unwrapped toys during October, November and December each year, and distribute those toys as Christmas gifts to less fortunate children in the community in which the campaign is conducted.


2) The Hunger Project: The Hunger Project is a global, non-profit, strategic organization committed to the sustainable end of world hunger.


3) Doctors Without Borders: Doctors Without Borders works in nearly 70 countries providing medical aid to those most in need regardless of their race, religion, or political affiliation.



Technical Tip: How to Export Your Data

Did you know there is a hidden feature in Release 8.1? Even though the menu option is not visible, it is possible to export the data in your reporting databases to CSV files. You can export data for the previous 24 hours or data for the previous 4 weeks. What you do with it is up to you! Import it into Excel for easy graphing, save it locally for longer-term reporting, export data for a specific time period to analyze bandwidth-related issues, and more!

Please note that the data is returned with Unix timestamps and is in bytes/second. Data for the 24 hour database is sampled every minute and data for the 4 week database is sampled every hour. To export your data, simply change the parameter “page” in the URL to “export-data”. So, your URL would be something like:

[neteqIP]/newgui/RTR/index.php?page=export-data

If you need assistance with data export and are current on NSS, contact us at:

support@apconnections.net

-or-

303-997-1300

Please note that General Penalty Data is not available or exportable at this time.


Best Of The Blog

More Lies and Deceit From Your ISP

By Art Reisman – CTO – APconnections

Back in 2007, I wrote an article for PC Magazine about all the shenanigans that ISPs use to throttle bandwidth. The article set a record for online comments for one day, and the editor was happy. I recall, at that time, I felt like a lone wolf trying to point out these practices. Finally some redemption: this morning, the FTC is flexing its muscle and is now taking on AT&T for false claims with respect to unlimited data…

Photo Of The Month
Interactive Robotic Santa
One of our staff members recently stumbled upon an Internet-controllable robotic Santa in his neighborhood. The Santa is viewable via web cam and can speak text entered into the website. It can also play music and dance. Santa was relatively quiet until recently when the URL went viral and Santa was speaking non-stop! Email us for a link to check out the Santacam – but beware that Santa has a gift for gab and no content filter.